Posted on 23 Jul 2012
U.S. cybersecurity efforts are hampered by attacks that go unreported by victims unwilling to divulge confidential information, a research panel said Thursday.
The report by the Bipartisan Policy Center said the number of cyberattacks appears to be on the rise, along with financial losses.
It said that from October 2011 through February 2012, more than 50,000 cyber attacks on private and government networks were reported to the Department of Homeland Security, including 86 attacks on "critical infrastructure networks."
But it noted that these "represent only a small fraction of cyber attacks carried out in the United States."
The think tank's cybersecurity task force headed by former National Security Agency chief Michael Hayden and businessman Mortimer Zuckerman said more sharing of information would help bolster cybersecurity.
"Despite general agreement that we need to do it, cyber information sharing is not meeting our needs today," the report said.
It said many private firms keep the news of the attacks secret "because of fears, some justified, including harm to their reputations and potential loss of customers."
Some worry that the information could become part of the public record in a government database, and some "are concerned that they may be held liable for the threat information they share if it turns out to be inaccurate."
The report noted that current law does protect the confidentiality of certain data, but that this effort could be expanded. It said some industry groups that aggregate information on attacks have been threatened with lawsuits if they implicate certain entities in attacks.
It said some of these concerns can be addressed in cybersecurity legislation, which has been stalled in Congress.
"Some companies take the position that under current law, sharing communications with the government cannot be done without a subpoena," the report said.
"With the right privacy and civil liberties protections in place, there is no valid reason for cyber threat information not to be shared with the federal government and a subpoena requirement can often thwart information sharing to identify and stop cyber attacks underway.
"The law should be changed to explicitly permit such sharing, without a subpoena, under conditions that protect privacy and civil liberties."